Skip to content

Chore/dependabot wave1#35

Merged
deepagent-ai merged 2 commits into
devfrom
chore/dependabot-wave1
Jul 9, 2026
Merged

Chore/dependabot wave1#35
deepagent-ai merged 2 commits into
devfrom
chore/dependabot-wave1

Conversation

@deepagent-ai

Copy link
Copy Markdown
Contributor

Issue for this PR

Closes #

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Please provide a description of the issue, the changes you made to fix it, and why they work. It is expected that you understand why your changes work and if you do not understand why at least say as much so a maintainer knows how much to value the PR.

If you paste a large clearly AI generated description here your PR may be IGNORED or CLOSED!

How did you verify your code works?

Screenshots / recordings

If this is a UI change, please include a screenshot or recording.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

If you do not follow this template your PR will be automatically rejected.

deepagent-ai and others added 2 commits July 9, 2026 15:32
Same-major version bumps that resolve Dependabot alerts without any
breaking-change risk. minimatch is deliberately deferred (it intersects
active code-indexer work); astro 5→6, nitro, wrangler, and the
@astrojs/cloudflare 13.x major are deferred to a later wave.

- turbo 2.8.13 → 2.9.14 (medium)
- @astrojs/cloudflare 12.6.3 → 12.6.6 (clears the high <12.6.6 advisory;
  the 13.1.10 low is left for the astro-6 wave)
- @hey-api/openapi-ts 0.90.10 → 0.97.3 (medium, dev)
- @babel/core 7.28.4 → 7.29.6 (low, dev)

Lockfile regenerated; turbo/openapi-ts run at the new versions and all
four resolve in bun.lock. No source changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Clears all 16 dompurify Dependabot alerts (15 medium + 1 low). They
persisted because the root workspaces.catalog and packages/ui both pinned
3.3.1, below the 3.4.11 that covers every advisory upper bound
(<=3.4.10 → 3.4.11 is the highest). Bumped both pins together.

3.3 → 3.4 is a minor with security hardening, no API breaks. The only
consumer (packages/ui markdown.tsx) uses stable surface only —
isSupported, addHook("afterSanitizeAttributes"), sanitize(html, config)
with USE_PROFILES/FORBID_TAGS/ADD_TAGS — all unchanged in 3.4.

Verified: dompurify resolves to a single 3.4.11 in bun.lock; ui typecheck
clean; API surface intact. No source changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@deepagent-ai
deepagent-ai merged commit 9363145 into dev Jul 9, 2026
4 of 11 checks passed
@deepagent-ai
deepagent-ai deleted the chore/dependabot-wave1 branch July 9, 2026 08:06
deepagent-ai added a commit that referenced this pull request Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

  • No "Type of change" checkbox is checked. Please select at least one.
  • No issue referenced. Please add Closes #<number> linking to the relevant issue.
  • "How did you verify your code works?" section is empty. Please explain how you tested.
  • Not all checklist items are checked. Please confirm you have tested locally and have not included unrelated changes.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Hey! Your PR title Chore/dependabot wave1 doesn't follow conventional commit format.

Please update it to start with one of:

  • feat: or feat(scope): new feature
  • fix: or fix(scope): bug fix
  • docs: or docs(scope): documentation changes
  • chore: or chore(scope): maintenance tasks
  • refactor: or refactor(scope): code refactoring
  • test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, deepagent-code).

See CONTRIBUTING.md for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant